# ory-selfhosting
q
I'm hosting my services via ECS on AWS and I'm having issues regarding the CSRF token not being passed through. They live behind the AWS Application Load Balancer, which has the certificate of the domain name and thus forces the HTTPS connection. Hydra is hosted under auth.identity.example.com and Kratos at identity.example.com, the self-service UI at ui.identity.example.com. Even though I've set the following in the Kratos config:
```yaml
session:
  lifespan: 24h
  cookie:
    domain: example.com
    same_site: None
```
or
```yaml
session:
  lifespan: 24h
  cookie:
    domain: identity.example.com
    same_site: None
```
It still does not persist on the ui.example.com domain name. I was wondering if people have a similar setup? And how they did it. Or what I'm possibly doing wrong
m
I have a similar setup for an example app (not a real-life use case) on fly.io and there it works without issue - so I am wondering if somehow AWS load balancer strips the header or something? you do send the csrf token from the frontend ui.identity to kratos at identity.example right?
q
When looking at my code:
```go
// Fragment of the UI's HTTP login handler; api, translations,
// respondWithError and kratosReferenceUrl are defined elsewhere.
loginChallenge := r.URL.Query().Get("login_challenge")
flowId := r.URL.Query().Get("flow")
language := translations.GetPreferredLanguage(r)

// Hydra handed us a login_challenge: start a new Kratos browser login flow.
if loginChallenge != "" {
	kratosBrowserLoginUrl := fmt.Sprintf("%s/self-service/login/browser?login_challenge=%s", kratosReferenceUrl, loginChallenge)
	http.Redirect(w, r, kratosBrowserLoginUrl, http.StatusFound)
	return
}

// Otherwise fetch the existing flow, forwarding the browser's cookies
// (including the CSRF cookie) to Kratos.
kratosLoginFlowRequest := api.kratosClient.FrontendAPI.GetLoginFlow(r.Context())

kratosLoginFlowRequest = kratosLoginFlowRequest.Id(flowId)
kratosLoginFlowRequest = kratosLoginFlowRequest.Cookie(r.Header.Get("Cookie"))

kratosLoginFlow, resp, err := api.kratosClient.FrontendAPI.GetLoginFlowExecute(kratosLoginFlowRequest)
if err != nil {
	slog.Error("Could not create browser request", slog.String("error", err.Error()))
	respondWithError(w, language, http.StatusInternalServerError)
	return
}
```
I stumble upon the following log in AWS:
```json
{
  "time": "2025-02-12T16:00:38.216300031Z",
  "level": "ERROR",
  "msg": "Could not create browser request",
  "error": "403 Forbidden"
}
```
Although this worked locally when spinning up all my services through `docker-compose`, so I would think this is okay?
Because I see both cookies in browser here after initiating a Kratos session
But through AWS and the domain name, it is not present
The config isn't too different; we try to replicate it as best as possible locally.
m
what error if any do you see in Kratos?
does it work if you manually make the request via curl?
q
So it looks like it was able to reach hydra from these logs:
But afterwards we get this error:
I had a feeling it might be because the CSRF cookie was not available on the ui.identity.example.com domain
However it seems available on the identity domain itself
I'm also not 100% sure what you mean if I manually make the request. To the admin API you mean?
m
I meant manually including the CSRF cookie in a direct request to Kratos, because it might get lost between the frontend and Kratos, but it seems to be there. Maybe it's connected to the Hydra/Kratos integration - tbh I don't really have experience with that when self-hosting 🤔
q
Do you have any idea as to why the domain is different for the csrf token? Because this is the config it uses:
```yaml
session:
  lifespan: 24h
  cookie:
    domain: stag.thommie.be
    same_site: None
```
But it seems to ignore the domain and samesite settings
m
@quick-addition-90714 Here are some more resources that might help:
• https://www.ory.sh/docs/kratos/debug/csrf
• https://www.ory.sh/docs/troubleshooting/csrf
especially this part: https://www.ory.sh/docs/kratos/debug/csrf#running-on-separate-subdomains
some more tips from our bot
• Cookies work best on the same domain, and while it's possible to get them working across subdomains, it can be tricky.
• AWS Application Load Balancer: The AWS Application Load Balancer might be interfering with the cookie settings. Ensure that it's configured to pass through all necessary headers and cookies without modification.
• When using `SameSite=None`, the cookies must also have the `Secure` flag set. Ensure that your configuration includes `secure: true`:
```yaml
session:
  cookie:
    domain: example.com
    same_site: None
    secure: true
```
let me know if that helps
q
Aren't they set to secure by default? I think I tried it once, but then my Kratos instance wouldn't start. Anyway, thanks for the help. I think I might use an nginx instance and have kratos and hydra prefixes in the paths to route traffic to those containers.